Null sessions


Description

In this lab you can practice different techniques and tools against a machine vulnerable to null sessions!

Goal

The final goal of the lab is to retrieve information from the target machine such as shares, users, groups and so on! Moreover, by navigating the remote machine, you should be able to find a file named "Congratulations.txt". Download it and explore its content.

Tools

The best tools for this lab are:

  • enum4linux

  • samrdump

  • smbclient

Steps

Find a target in the network

Since we do not have any information about the remote network and the hosts attached to it, the first step is to find a possible target in the network lab you are attached to!

Check for null session

You should have found at least one alive host on the network. Verify whether it is vulnerable to null sessions.

Exploit null session

It's time to get our hands dirty.

  1. Gather information with enum4linux

Use enum4linux and gather the following information:

  • Shares

  • Users

  • Password policies

  • Groups

  2. Use smbclient to navigate the target machine

Mount or use the smbclient interactive command line in order to navigate the remote machine and find and inspect the content of the Congratulations.txt file.

Configuration

For this lab, a specific SMB configuration may be required. If the proposed tools report errors or don't produce the results you will see in the solutions, run the following from a terminal on your Kali machine.

vim /etc/samba/smb.conf

Now under [global] add the lines below.

client min protocol = CORE
client max protocol = SMB3
client use spnego = no
client ntlmv2 auth = no
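
The settings above relax the SMB client on the lab machine so that it can talk to an old server. As an added example (not part of the original lab guide), the Python sketch below audits an smb.conf [global] section for those relaxed client settings so they can be found and reverted once the lab is done; the function name audit_global and the sample file are constructed for illustration.

```python
# Audit the [global] section of an smb.conf for relaxed client settings.
# Samba ignores case and whitespace in parameter names, so names are normalised.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
FALSE_VALUES = {"no", "false", "0", "off"}

def norm(name):
    return "".join(name.split()).lower()

CHECKS = {
    "clientminprotocol": (lambda v: v.upper() in SMB1_DIALECTS,
                          "client will negotiate SMB1-era dialects"),
    "clientusespnego": (lambda v: v.lower() in FALSE_VALUES,
                        "SPNEGO negotiation disabled"),
    "clientntlmv2auth": (lambda v: v.lower() in FALSE_VALUES,
                         "NTLMv2 responses disabled, NTLM (v1) is sent"),
}

def audit_global(conf_text):
    """Return (line number, parameter, value, reason) for each relaxed setting."""
    findings, section = [], None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        check = CHECKS.get(norm(name))
        if check and check[0](value):
            findings.append((lineno, name, value, check[1]))
    return findings

# Constructed sample: the lab's four lines plus unrelated entries.
SAMPLE = """\
[global]
   workgroup = WORKGROUP
   client min protocol = CORE
   client max protocol = SMB3
   Client Use SPNEGO = no
   client ntlmv2 auth = no
[data]
   path = /srv/data
"""

if __name__ == "__main__":
    for lineno, name, value, reason in audit_global(SAMPLE):
        print(f"line {lineno}: {name} = {value}  ({reason})")
```

To check a real file, pass the contents of /etc/samba/smb.conf to audit_global instead of SAMPLE.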

SOLUTIONS

Please go ahead ONLY if you have COMPLETED the lab or you are stuck! Checking the solutions before actually trying the concepts and techniques you studied in the course will dramatically reduce the benefits of a hands-on lab!

Solutions steps

Find a target in the network

We first need to determine which remote network we are attached to. We can do this by running ifconfig and checking the IP address of our tap0 interface.

As we can see, the target network is 192.168.99.0/24 (note that your IP address may be different from the previous screenshot). Let's run nmap in order to discover alive hosts on the network:

The previous screenshot shows that the only host alive on the network is 192.168.99.162 (besides our host: 192.168.99.20).

Check for null session

Let us target the host found in the previous step and check if it is vulnerable to null sessions. In the following screenshot, we are using enum4linux, but you can use any tool you prefer.

We can see that the File Server Service is active and the string <20> appears in the list.

Exploit null session

It is time to get our hands dirty!

  1. Gather information with enum4linux

Let us try to gather as much information as we can. To do this we can simply run enum4linux with the -a switch:

As we can see in the previous screenshots, we were able to gather a lot of information from the machine.

  2. Use smbclient to navigate the target machine

A very useful tool that we can use to access remote shares and browse the remote machine is smbclient.

First let us get the list of shares using smbclient:

Let us now try to access the WorkSharing share and see what files are stored in there:

As we can see in the previous screenshot, there is a file named Congratulations.txt. Let us download it to our machine and then use the cat command to display its content.

